The default Apache virtual host (/etc/apache2/sites-available/default) has a 'Directory' option for the root directory (see below). By disabling the default virtual host these directives and the protections they offer are removed.

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

Applying options to the root directory should probably not be delegated to this virtual host, even if the assumption is that the virtual host will not be disabled.

Moving this section to /etc/apache2/apache2.conf file will not alter the default configuration of the web server and will still protect the root directory even if the default virtual host is removed.

Solution:

Move the 'Directory' directive for the root directory from the default virtual host file to the apache2.conf file (probably above the 'AccessFileName' directives).